Subject: AttributeSelector initial context as resource node
Consider adding an optional attribute on <AttributeSelector> to start at the resource node instead of the <Content> element. This would only have to be supported under a hierarchical profile. The attribute could be named "ResourceContextPath", and would be used instead of "RequestContextPath" when the evaluation should start from the node on which a decision is wanted.

When writing policies for hierarchical resources, it is sometimes convenient to express a condition based on the value of another node in the request content, relative to the resource node on which the decision is requested. <AttributeSelector> only allows xpath expressions with initial context of the <Content> request element.

For example, suppose the resource content looks like this:

    <node xmlns="my-namespace">
      <att name="att1">foo</att>
      <node>
        <att name="att1">foo</att>
        <att name="att2">abc</att>
      </node>
      <node>
        <att name="att1">bar</att>
        <att name="att2">xyz</att>
      </node>
    </node>

I have a business rule that says no node with att1="bar" should have an ancestor node whose att1="foo". (Conversely, no node with att1="foo" should have a descendant with att1="bar". But I don't want a decision on the ancestor, I want a decision for each descendant.) I want decisions on all nested nodes, so my request will include the appropriate scope and resource-id attributes for an xpath-expression multi-resource request.

The problem is writing the rule. Nodes can be nested to any depth. The rule can be stated as: "if the resource att1='bar', and any ancestor node has att1='foo', then deny; otherwise permit". This goes directly into a XACML Policy with two Rules.
The essential parts of the policy might look like this (using the proposed "ResourceContextPath" attribute on AttributeSelector):

    <Policy xmlns:mns="my-namespace" RuleCombiningAlgId="...first-applicable">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:3.0:xpath-node-match">
              <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
                              XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                              >mns:node//mns:node</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                   AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
                                   DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
      <Rule RuleId="deny-bar-if-ancestor-foo" Effect="Deny">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bar</AttributeValue>
                <AttributeSelector ResourceContextPath="mns:att[@name='att1']"
                                   DataType="http://www.w3.org/2001/XMLSchema#string"
                                   MustBePresent="false"
                                   Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"/>
              </Match>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo</AttributeValue>
                <AttributeSelector ResourceContextPath="ancestor::mns:node/mns:att[@name='att1']"
                                   DataType="http://www.w3.org/2001/XMLSchema#string"
                                   MustBePresent="false"
                                   Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
      </Rule>
      <Rule RuleId="permit-otherwise" Effect="Permit"/>
    </Policy>

If there is another way to address this use case using existing XACML features I would like to know about it.

--Paul Tyson
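Added example, not part of Paul Tyson's post and not code from any XACML implementation: a small Python evaluator that assumes the proposed ResourceContextPath semantics, i.e. each AttributeSelector xpath is evaluated with the resource node under decision as its initial context. It runs the two-rule, first-applicable policy above over the sample <Content> from the post (embedded here as a constructed string) and returns one decision per node matched by mns:node//mns:node. The standard-library ElementTree has no ancestor axis, so the ancestor::mns:node step is emulated with a parent map; the function names are the example's own. A second function shows what a selector evaluated from the <Content> root returns today: one bag of att1 values that is the same whichever resource node is being decided, which is why the per-node match cannot be written with RequestContextPath alone.

```python
import xml.etree.ElementTree as ET

NS = "my-namespace"
Q = "{%s}" % NS  # Clark notation for elements in the sample's default namespace

# Constructed sample: the resource content from the post.
CONTENT = """<node xmlns="my-namespace">
  <att name="att1">foo</att>
  <node>
    <att name="att1">foo</att>
    <att name="att2">abc</att>
  </node>
  <node>
    <att name="att1">bar</att>
    <att name="att2">xyz</att>
  </node>
</node>"""


def att_value(node, name):
    """Selector mns:att[@name=...] relative to node; None when absent (MustBePresent=false)."""
    for att in node.findall(Q + "att"):
        if att.get("name") == name:
            return att.text
    return None


def build_parent_map(root):
    """ElementTree keeps no parent links, so record child -> parent once up front."""
    return {child: parent for parent in root.iter() for child in parent}


def ancestors(node, parent_map):
    """Emulate the XPath ancestor::mns:node axis for the given resource node."""
    parent = parent_map.get(node)
    while parent is not None:
        if parent.tag == Q + "node":
            yield parent
        parent = parent_map.get(parent)


def decide(resource_node, parent_map):
    """First-applicable combination of the post's two Rules, evaluated from resource_node."""
    is_bar = att_value(resource_node, "att1") == "bar"
    ancestor_is_foo = any(att_value(a, "att1") == "foo"
                          for a in ancestors(resource_node, parent_map))
    if is_bar and ancestor_is_foo:
        return "Deny"        # Rule deny-bar-if-ancestor-foo
    return "Permit"          # Rule permit-otherwise


def evaluate(content_xml):
    """Multi-resource request: one (att1, att2, decision) per node matched by mns:node//mns:node."""
    root = ET.fromstring(content_xml)
    parent_map = build_parent_map(root)
    results = []
    for node in root.iter(Q + "node"):
        if node is root:
            continue         # the policy Target matches descendants of the top node only
        results.append((att_value(node, "att1"), att_value(node, "att2"),
                        decide(node, parent_map)))
    return results


def root_relative_att1(content_xml):
    """What a RequestContextPath selector //mns:node/mns:att[@name='att1'] yields today:
    the same bag regardless of which resource node the decision is requested for."""
    root = ET.fromstring(content_xml)
    return [a.text for a in root.iter(Q + "att") if a.get("name") == "att1"]


if __name__ == "__main__":
    for att1, att2, decision in evaluate(CONTENT):
        print("node att1=%s att2=%s -> %s" % (att1, att2, decision))
    print("root-relative att1 bag:", root_relative_att1(CONTENT))
```

With the proposed semantics the nested node with att1="foo" is permitted and the one with att1="bar" is denied because its ancestor carries att1="foo"; the root-relative bag ["foo", "foo", "bar"] carries no information about which node a given decision belongs to.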